November 4, 2019
Adam Cook, Philip Doherty, and Viktoria Austin host this week’s ShadowTalk update around an unsecured Elasticsearch database exposing account information of about 7.5 million Adobe Creative Cloud users.
The team then looks at the news story around the City of Johannesburg experiencing a ransomware attack as well as APT28 (aka Fancy Bear) targeting anti-doping authorities and sporting organizations.
Updates from this week’s Intelligence Summary
- In the spotlight this week: A card skimming operation targeted the online retailer First Aid Beauty and evaded notice for months. Reporting on the attacks highlighted the confusion surrounding the name “Magecart”. Typically, Magecart has been referred to as a collection of threat groups operating under one umbrella term; however, recent reporting suggests those groups may instead be connected to sophisticated, financially motivated threat actors, and may only be united in their use of the same tactics.
- Weekly highlights include: a new remote-access trojan (RAT) dubbed NukeSpeed, which has been linked to the “Lazarus Group”; the “Raccoon” information stealer (infostealer) malware, which has become increasingly popular among cybercriminals in 2019; and “APT28” targeting anti-doping authorities and sporting organizations around the world.
Magecart skimming evades attention as name breeds confusion
A card skimming attack on the website of United States-based retailer First Aid Beauty went undetected for months: a stark reminder of the growing threat attached to this tactic. Although in this case the perpetrator has not been identified, one source referred to Magecart, which is often taken to mean an umbrella term for several threat groups. Another source also mentioned Magecart, but as an attack method rather than a group or groups. This draws attention to the pervasive confusion surrounding the name Magecart. In addition, there is an emerging body of evidence that Magecart groups operate independently, rather than being connected under an umbrella, and that they are linked to sophisticated, financially motivated threat actors. This has broadened their targeting to include small and mid-sized online retailers, although the threat to large businesses remains significant. An increase in card skimming campaigns will likely be observed in the short-term future (next three months), coinciding with the Christmas shopping period.
New Lazarus Group RAT sniffed out
A new RAT dubbed NukeSpeed has been linked to Lazarus Group, a North Korean state-associated threat group. The malware contains a variety of typical RAT functionalities, including the ability to launch payloads, read files, and connect to a remote host. The application programming interface (API) names in NukeSpeed have been encrypted to evade static malware analysis. Attribution to Lazarus Group was based on the pattern of encrypted strings used, plus the RAT’s functionality overlap with the Lazarus RAT “FallChill” (detected in November 2017).
Raccoon infostealer malware grows in popularity
The information-stealing malware Raccoon has become highly active during 2019. Although not particularly sophisticated, Raccoon can steal various data, including credit card information, cryptocurrency wallet details, browser data, and email credentials. The infostealer has reportedly infected systems across North America, Europe, and Asia. Raccoon is available for sale on hacking forums and was developed by a team that researchers say is apparently Russian. Raccoon has received positive feedback and reviews on hacking forums, which is likely one of the reasons it quickly grew in popularity during 2019.
APT28 attacks anti-doping authorities, sporting entities
The Russian state-associated threat group APT28 (aka Strontium, Fancy Bear) targeted at least 16 anti-doping authorities and sporting organizations around the world in an attack campaign that began on 16 Sep 2019. Reporting did not specify technical details of how the attacks took place, but did confirm that the tactics were similar to those used in recent APT28 campaigns, including the use of spearphishing, password spraying, and open-source and custom malware, and the exploitation of Internet-connected devices.
For more details, read the full Weekly Intelligence Summary here: